About trialing GitHub Advanced Security
You can trial GitHub Advanced Security independently, or working with an expert from GitHub or a partner organization. The primary audience for these articles is people who will plan and run their trial independently, typically small and medium-sized organizations.
Note
Although GitHub Advanced Security is free of charge during trials, you will be charged for any actions minutes that you use. That is, actions minutes used by the code scanning default setup or by any other workflows you run.
Existing GitHub Enterprise Cloud users
You can set up a trial if you pay for GitHub Enterprise Cloud by credit card or PayPal, or if you are already taking part in a free trial of GitHub Enterprise Cloud. For more information, see Setting up a trial of GitHub Advanced Security.
If you pay by invoice, contact GitHub's Sales team to discuss trialing GitHub Advanced Security features for your enterprise.
Users on other GitHub plans
You can trial GitHub Advanced Security as part of a trial of GitHub Enterprise Cloud. For more information, see Setting up a trial of GitHub Enterprise Cloud.
When the trial ends
You can end your trial at any time by purchasing GitHub Secret Protection or GitHub Code Security. If you don't already use GitHub Team or GitHub Enterprise, you will need to upgrade your plan. Alternatively, you can cancel the trial at any time.
Define your company goals
Before you start a trial, you should define the purpose of the trial and identify the key questions you need to answer. Maintaining a strong focus on these goals will enable you to plan a trial that maximizes discovery and ensures that you have the information needed to decide whether or not to upgrade.
If your company already uses GitHub, consider what needs are currently unmet that Secret Protection or Code Security might address. You should also consider your current application security posture and longer term aims. For inspiration, see Design Principles for Application security in the GitHub well-architected documentation.
| Example need | Features to explore during the trial |
|---|---|
| Enforce use of security features | Enterprise-level security configurations and policies, see About security configurations and About enterprise policies |
| Protect custom access tokens | Custom patterns for secret scanning, delegated bypass for push protection, and validity checks, see Exploring your enterprise trial of GitHub Secret Protection |
| Define and enforce a development process | Dependency review, auto-triage rules, rulesets, and policies, see About dependency review, About Dependabot auto-triage rules, About rulesets, and About enterprise policies |
| Reduce technical debt at scale | Code scanning and security campaigns, see Exploring your enterprise trial of GitHub Code Security |
| Monitor and track trends in security risks | Security overview, see Viewing security insights |
If your company doesn't use GitHub yet, you are likely to have additional questions including how the platform handles data residency, secure account management, and repository migration. For more information, see Getting started with GitHub Enterprise Cloud.
Identify the members of your trial team
GitHub Advanced Security enables you to integrate security measures throughout the software development life cycle, so it's important to ensure that you include representatives from all areas of your development cycle. Otherwise you risk making a decision without having all the data you need. A trial includes 50 licenses which provides scope for representation from a wide range of people.
You may also find it helpful to identify a champion for each company need that you want to investigate.
Determine whether preliminary research is needed
If members of your trial team have not yet used the core features of GitHub Advanced Security, it may be helpful to add an experimentation phase in public repositories before you start a trial. Many of the primary features of code scanning and secret scanning can be used on public repositories. Having a good understanding of the core features will allow you to focus your trial period on private repositories, and exploring the additional features and control available with Secret Protection and Code Security.
For more information, see About secret scanning, About code scanning, and About supply chain security.
Organizations on GitHub Team and GitHub Enterprise can run a free report to scan the code in their organization for leaked secrets. This can help you understand the current exposure of the repositories in your organization to leaked secrets, as well as see how many existing secret leaks could have been prevented by Secret Protection. See About the secret risk assessment.
Agree the organizations and repositories to test
Generally it is best to use an existing organization for a trial. This ensures that you can trial the features in repositories you know well and that accurately represent your coding environment. Once you start the trial, you may want to create additional organizations with test code to expand your explorations.
Be aware that deliberately insecure applications, such as WebGoat, may contain coding patterns that appear to be insecure, but which code scanning determines cannot be exploited. Code scanning typically generates fewer results for artificially insecure codebases than other static application security scanners.
Define the assessment criteria for the trial
For each company need or goal that you identify, determine what criteria you will measure to determine whether it is successfully met or not. For example, if one need is to enforce the use of security features, you might define a range of test cases for security configurations and policies to give you confidence that they enforce processes as you expect.